OVERVIEW

Spammed via email, Dropped by other malware, Downloaded from the Internet

ZEUS variants may be downloaded unknowingly from malicious websites or dropped by other malware onto the systems of unsuspecting users. They may also arrive on a system via spammed messages.

Variants may connect to a remote site to download a configuration file that determines which sites are targeted. ZEUS variants also have rootkit capabilities. Upon installation, they create folders with the System and Hidden attributes set to prevent users from discovering and removing their components.

The ZEUS malware family is used for data theft. Variants monitor the user's Web browsing activity, using browser window titles or address bar URLs as triggers for the attack. Variants inject JavaScript code into legitimate banks' web pages. They send the gathered information via HTTP POST to remote URLs. Cybercriminals may then use this information for their malicious activities: they may either steal money directly from the victim or sell the information in underground markets.

ZEUS variants are capable of disabling Windows Firewall and of injecting themselves into processes to become memory-resident. They also terminate themselves if certain known firewall processes are found on the system. Variants add registry entries to ensure automatic execution at every system startup.

As mentioned earlier, ZEUS variants are designed for data theft or to steal account information. The account information may come from various sites like online banking, social networking, and e-commerce sites.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Steals information

Installation

This spyware drops the following files:

%System Root%\Recycle.Bin\Recycle.Bin.exe

%System Root%\Recycle.Bin\config.bin

{malware folder}\mxwqp.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

%System%\sdra64.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

%User Profile%\Application Data\VMware

%System Root%\Recycle.Bin

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
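The following sweep is an added example, not part of the original page: it resolves the file and folder indicators listed above on a Windows host, reports whether each folder carries the Hidden and System attributes the overview describes, and scans the common autorun registry locations for values that reference the dropped file names. The placeholder mapping is an assumption (%System Root% to the system drive root, %System% to System32, and %User Profile%\Application Data to $env:APPDATA, the Vista-and-later equivalent of the XP path). {malware folder}\mxwqp.exe is not resolved because the page does not say where that folder is, so only its name is used in the autorun scan.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the suspect host. Assumed placeholder mapping:
#   %System Root%                    -> $env:SystemDrive\  (usually C:\)
#   %System%                         -> $env:SystemRoot\System32
#   %User Profile%\Application Data  -> $env:APPDATA
# {malware folder}\mxwqp.exe is not resolved; the page does not name the folder.

$systemRoot = $env:SystemDrive + '\'
$indicators = @(
    (Join-Path $systemRoot 'Recycle.Bin'),
    (Join-Path $systemRoot 'Recycle.Bin\Recycle.Bin.exe'),
    (Join-Path $systemRoot 'Recycle.Bin\config.bin'),
    (Join-Path $env:SystemRoot 'System32\sdra64.exe'),
    (Join-Path $env:APPDATA 'VMware')
)

# Both bits set is what the overview describes for the created folders.
$hiddenSystem = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

foreach ($path in $indicators) {
    # -Force is required: without it Get-Item silently skips Hidden/System objects,
    # which is exactly the trick the malware relies on.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "[clean]  $path"
        continue
    }
    $flags = $item.Attributes
    $stealthy = (($flags -band $hiddenSystem) -eq $hiddenSystem)
    $tag = if ($stealthy) { 'FOUND, Hidden+System' } else { 'FOUND' }
    "[$tag] $path ($flags)"
    if (-not $item.PSIsContainer) {
        # Hash dropped files so the sample can be matched against vendor intel.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        "         SHA256 $hash"
    }
}

# The page says ZEUS adds registry entries for autostart but the cut-off text
# does not list them, so look for any autorun value that names a dropped file.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$droppedNames = 'sdra64.exe', 'Recycle.Bin.exe', 'mxwqp.exe'

foreach ($key in $autorunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        foreach ($name in $droppedNames) {
            if ("$($prop.Value)" -like "*$name*") {
                "[autostart] $key\$($prop.Name) = $($prop.Value)"
            }
        }
    }
}
```

A folder reported as FOUND without the Hidden+System flags is still worth a look: the attributes can be cleared by a prior cleanup attempt while the contents remain. Because the malware injects into other processes and disables Windows Firewall, treat a hit as a signal to image the host rather than to delete files in place.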

Autostart Technique

This spyware modifies the following registry entries to ensure its automatic execution at every system startup: